Hi Thomas,

On Sun, Jul 07, 2013 at 08:09:42PM +0200, Tomas Pospisek wrote:
> On 05.07.2013 21:51, Willy Tarreau wrote:
> >
> > Obviously. Don't worry, this mess is much more common than you can
> > think, and personally, I'm really not a fan of transparent proxying.
> > I was proud of it when I managed to get it and quickly got fed up
> > with all the issues it causes due to the various possible configuration
> > errors in field. Not to mention the fact that you have to carefully set
> > your timewait timeouts on your machines or ensure that your LB doesn't
> > forward IP, otherwise you risk some ACK storms between the clients and
> > the server when source ports get reused too fast.
>
> The reason why we do transparent proxy is:
>
> - we want to decouple mail processing into its own VM
> - we put it on an internal IP to save routed IPs
> - now we need to forward the traffic, which we do via haproxy
> - but then the MTA won't see the real source IP address,
>   which is a problem, because then debugging becomes harder (who's
>   actually trying and failing to send me some mail?) and because
>   the IP is a relatively important factor in deciding upon the
>   spamminess of incoming mail
> - therefore TPROXY
>
> is there a superior alternative to this setup? Or to the more general case?
There is no generally better solution unfortunately, which is why we do have
the feature :-)

However depending on your mail servers, you may consider other options. For
example, postfix supports haproxy's PROXY protocol since version 2.10. Then
you can have haproxy pass the client's IP address at the beginning of the
connection, and postfix will see it and use it (it even works with
postscreen). I'm not aware of other mail servers which support it, though
some of them support postfix's XCLIENT, so maybe postfix could be used to
translate the protocol in that case :-)

Best regards,
Willy
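To make concrete what "pass the client's IP address at the beginning of the connection" looks like on the wire, here is an added example (not from this thread or from haproxy/postfix) that builds the PROXY protocol v1 line haproxy prepends for a `send-proxy` server and parses it strictly on the receiving side, the way an MTA configured with `smtpd_upstream_proxy_protocol = haproxy` must before trusting the address. The client and MTA addresses in `relay_example()` are constructed.

```python
import ipaddress
import re

# PROXY protocol v1 header, as sent by haproxy for a backend server marked "send-proxy".
# Postfix (2.10+) consumes it when main.cf sets smtpd_upstream_proxy_protocol = haproxy
# (and postscreen_upstream_proxy_protocol = haproxy when postscreen sits in front).
# The MTA port must only be reachable from haproxy: any peer that can send this line
# could otherwise claim an arbitrary source address.
MAX_V1_HEADER = 107  # longest legal v1 line including CRLF (TCP6 with full addresses)

def build_proxy_v1(src_ip, src_port, dst_ip, dst_port):
    """Line haproxy emits before the client's first SMTP byte:
    'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    fam = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {fam} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")

_LINE = re.compile(rb"PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n")

def parse_proxy_v1(data):
    """Strict parse of the leading v1 header; returns (client_ip, client_port, rest).
    Raises ValueError on anything malformed; a receiver should drop such connections.
    'PROXY UNKNOWN' (proxy has no usable address) is accepted and yields no client IP."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within the first 107 bytes: not a v1 header")
    line, rest = data[:end + 2], data[end + 2:]
    if line.startswith(b"PROXY UNKNOWN"):
        return None, None, rest
    m = _LINE.fullmatch(line)
    if not m:
        raise ValueError(f"malformed header: {line!r}")
    fam, src, dst, sport, dport = m.groups()
    src_ip, dst_ip = ipaddress.ip_address(src.decode()), ipaddress.ip_address(dst.decode())
    want = 4 if fam == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match the declared protocol")
    sport, dport = int(sport), int(dport)
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ValueError("port out of range")
    return str(src_ip), sport, rest

def relay_example():
    """Constructed exchange: a client at 203.0.113.7 reaches haproxy, which prepends the
    header before forwarding the client's first SMTP bytes to the MTA on an internal IP."""
    header = build_proxy_v1("203.0.113.7", 51234, "10.0.0.25", 25)
    stream = header + b"EHLO mail.example.org\r\n"   # constructed client data after the header
    return parse_proxy_v1(stream)
```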

